JPAAWGHowever, text messages, OTT messaging, and social media are rapidly rising in popularity •...
Transcript of JPAAWGHowever, text messages, OTT messaging, and social media are rapidly rising in popularity •...
WMC GLOBAL Proprietary and Confidential | Do Not Distribute
© 2018 WMC GLOBAL
JPAAWG
Jaclyn AbramsVP Threat IntelligenceWMC Global
November 7, 2018
Text Messaging Updates:SMS Spam and RCS Safety
TEXT MESSAGING ATTACKSUpdate
3
THREAT TRENDSAdvancing Attack Types
PHISHING
Credentialacquisition
TROJANDELIVERY
Malicious download, installation
PHARMING
DNS corruption,redirection
SCREEN-LOGGING
Image and interaction recording
KEYLOGGING
Input tracking
iFRAME & BHO
iFrame- or extension-
based downloads
MITMATTACKS
Data interception
TRANSACTIONPOISONING
Data modification
4
MOBILE SHIFT
Email is still the attack delivery vector of choice
• Corporations use email every day
• Push media
• Can carry payloads
• Easy to spoof
However, text messages, OTT messaging, and social media are rapidly rising in popularity
• With the anticipated rise of RCS, text messaging takes on many of the characteristics that makes email so appealing for threat delivery
Messages—regardless of platform—are only the initiation point for a threat; the real danger occurs once a user engages with the content
Advancing Attack Types
5
MOBILE-TARGETED MESSAGING ATTACKSSMS is the Gateway to Consumer’s Lives
Pervasiveness• Mobile accounts for 70% of consumers’ time
spent with digital media• Mobile continues to surpass desktop usage
for web access worldwide
Cost Effectiveness• Inexpensive infrastructure• Scalable• Repeatable
Accessibility• Widely available• Cross-platform-delivery capable• Accessible from disparate entry points• Easy first interaction for various exploits
Anonymity• Low risk of attribution• Low risk of retaliation
6
ATTACK ENTRY POINTS
Unvetted and Shared Codes
Grey route to ecosystem entry
Multiple layers behind registered entities enable obfuscation
• Enables code swapping
• Masks actual message senders
• Enables snowshoeing
In the last year, abuse on shared codes has skyrocketed as blocking has become more aggressive in other areas
Shared Codes and Over-the-Top Platforms
Over-the-Top Platforms
Entry via Over-the-Top (OTT) platforms offering SMS forwarding options
• Harder to track OTT account ownership without direct engagement with OTT services
• Circumvents upfront safeguards and per-code volume caps
• Facebook and Twitter SMS forwarding are major source of these attacks
7
ATTACK CATEGORIES
Social Engineering
Credential phishing
Fake accounts set up on Facebook, LinkedIn, and Twitter impersonate known individuals within an organization and engage with employees as trusted entities
Buying and selling scams, especially over Craigslist
Event and issue-based attacks
• Lottery jackpots
• Holidays or major events (sports, elections, etc.)
• Health care open enrollment periods
Popular Attack Types
Malware Distribution
Contributing factors
• Kaspersky forecasted that espionage will be shifting heavily to mobile and apps
• Mobile banking has seen a rapid rise in popularity, and is thus a prime target
SMS used as attack delivery vector, prompting link and media interaction
• Malware delivery sites
• Side-loaded apps
• RCS file transfer
Bespoke exploit kits can be created to capture specific desired data (e.g., SpyEye)
• SMS generation and receipt to defeat 2FA
8
ANATOMY OF AN ATTACKCore Components
Attack Message
Variable text generation
Variable URL generation
Redirects
Variable redirect chain
• Device
• OS
• Operator network
• Location
• Access time
Landing Page
Interaction points
Data collection
Malware installation
SupportingInfrastructure
Sites
Servers
Accounts
IPs
Threat ActorInformation
Identity
Location
Contact info
Relationships
9
US-TARGETED ATTACKS
Political Messages
• Not attacks, per se, but high complaint volumes
• Spikes during election lead-up and periods of high political engagement
Socially Engineered Swatting
• Messaging sent to multiple recipients threatening bodily harm and containing another phone number, intending to implicate the contained phone number as an involved party
Recent Attacks
- Bank of America
- Chase
Phish Hopper
• Pervasive attack targeting major brands
• Leverages a flexible phishing kit to hop between major brands
- Wells Fargo
• Shifts IPs
Coinbase Phishing
• Increased interest in phishing bitcoin accounts
• Attacks ramp up over holidays to evade detection
• Attack shifts domains, IPs, and sending accounts continuously, phasing the transition between infrastructure
10
JAPAN-TARGETED ATTACKS
Malware Distribution
• Sagawa Express-branded attack
- Urged users to download app-disguised malware
- Some versions of the attack also collected user PII
- Malware stole IDs, passwords, and credit card information
- Malware hijacked devices to send additional smishing messages
Phishing
• SMS, email, and fake app attacks targeting LINE, Amazon, MyJCB, AppleID, BitCoincredentials
Recent Attack Example
RCSEmerging Threats
12
RCS DEPLOYMENTJapan Leads the Way
Image courtesy of GSMAhttps://www.gsma.com/futurenetworks/rcs/global-launches/
64 Operators Across 45 Countries
13
RCS CAPABILITIES
RCS brings app-like functionality to text messaging
• Typing indicators
• Read receipts
• Link interactions
• File transfers
Introduces Messaging as a Platform (MaaP) functionality for A2P Messaging
• Certified senders with branding and logos
• Chatbots
• Rich cards
Enhanced Experiences and Interactivity
• Interaction components
• Embedded branding
• Multi-device messaging
• Geolocation
• Purchase of items sold by chatbots
• Privacy controls
• Spam protections
14
RCS CAPABILITIESExamples
QR CodesTickets, tracking, redemptions
Image courtesy of GSMA
Verified SenderVetted and identified
Custom BrandingNames, colors, logos
Suggested RepliesCustomized response options
Suggested ActionsURLs, maps, calendars, dialers
Rich CardsImages, videos, GIFs
15
RCS SAFETY
Verified Sender Onboarding
• Vetting requirements
• Verification procedures
• Proof of identity/impersonation prevention
Entity and Message Blocking
• Thresholds for blocking implementation
• Prohibited behaviors
• Abuse pattern establishment
• User-level vs. operator-level blocking
Areas for Planning
Abuse Reporting and Spam Control
• Recipients
• Attack data sharing
• Systems and implementations
Interactivity Management
• Redirection
• Downloads
• File transfers
QUESTIONS?CONTACT ME
Jaclyn AbramsVP Threat IntelligenceWMC [email protected]